AI Sovereignty Standards Under Scrutiny: The 24% Rule Analysis

📊 Full opportunity report: AI Sovereignty Standards Under Scrutiny: The 24% Rule Analysis on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

TL;DR

European AI sovereignty standards include a unique 24% ownership cap to ensure legal control. This rule is under scrutiny as providers adapt through joint ventures, raising questions about its effectiveness and future impact.

The 24% ownership cap in France’s SecNumCloud framework is drawing increased attention as providers and regulators debate its effectiveness in ensuring European legal sovereignty. This rule, which limits foreign ownership to 24% per entity, is a core component of the legal sovereignty requirement, and its application is shaping the future of European cloud and AI regulation.

The SecNumCloud qualification, issued by France’s ANSSI, includes a 24% ownership threshold designed to prevent non-EU control over sensitive cloud services. This arithmetic-based ownership cap is distinctive among European standards, emphasizing legal sovereignty over mere security practices.

As of mid-2026, about ten providers, including OVHcloud, Outscale, and Scaleway, have obtained active SecNumCloud qualifications, with several more in progress. Major US-based hyperscalers like AWS remain ineligible for direct certification but have created joint ventures—such as Thales-Google S3NS and Capgemini-Orange Bleu—that comply with the 24% ownership rule. These arrangements allow foreign control through structured ownership while maintaining compliance with the sovereignty standard.

Experts note that the 24% rule is a blunt instrument, as it relies on ownership arithmetic rather than control or influence, raising questions about its actual effectiveness in guaranteeing legal sovereignty. The rule is also considered brutally difficult to achieve, with scalingo’s CEO comparing it to a level 10 difficulty on a 1-10 scale, compared to ISO 27001’s level 1.

At a glance
analysisWhen: developing, as of mid-2026
The developmentThe 24% ownership rule in SecNumCloud, a key European sovereignty standard, is being analyzed amid provider adaptations and regulatory debates.
The 24% Rule — Insights
AI Dispatch · Insights · 16 July 2026

The 24% rule: why most “sovereign cloud” certifications don’t test sovereignty

ISO 27001. SOC 2. BSI C5. Gaia-X. Every badge real, audited, correctly displayed — and not one answers the question that decides the deal: can a foreign government compel your data? Exactly one European framework tests that. It does it with a number.

◆ SecNumCloud’s sovereignty test — an ownership cap, not a security control
Capital & voting rights held by companies not based in the EU must not exceed 24% individually or 39% collectively. That’s it. Checkable from a cap table.
✓ QUALIFIES collective cap ✕ STRUCTURALLY INELIGIBLE
0 — 24% individual— 39% collective— 100% non-EU ownership
OVHcloud · Outscale · Scaleway · Numspot · Cloud Temple AWS · Azure · Google — structurally ineligible natively Cohere–Aleph Alpha at ~90% Canadian — ~4× over the cap ? Mistral — non-EU VC share never publicly tested
Sort the alphabet soup into two piles
Framework
What it actually tests
What it doesn’t
Ownership?
ISO 27001 / SOC 2
Security practice, controls, process
Jurisdiction. Entirely.
NO
BSI C5
Implemented controls + disclosure of place of jurisdiction. German federal baseline since 2022.
Immunity. You still document residual CLOUD Act risk in your DPIA.
NO
Gaia-X
Interoperability, portability, declared policies
It’s not a security audit — and AWS/Azure/Google are members
NO
EUCS (as drafted)
Security controls, 3 levels, mutual recognition
The “High+” sovereignty tier was stripped out. EUCS High ≠ CLOUD Act immunity.
NO
SecNumCloud
ANSSI qualification (the French State stands behind it). 360+ criteria · v3.2 · EU domicile · EU-only storage · audited key custody · the 24/39 cap
Nothing much — it’s ~10× ISO 27001’s complexity. Only ~9–10 hold it.
YES
BSI C5 — disclosure

C5 does cover place of jurisdiction, data location & disclosure obligations. It requires you to declare which law reaches you. C5 tells you the gun is in the room.

SecNumCloud — immunity

Requires that no non-EU law can reach you at all — enforced by the ownership cap. SecNumCloud requires there be no gun. That’s the whole difference.

▶ What to actually watch: CADA — the rulebook that replaces the badges

The proposed Cloud and AI Development Act (COM(2026) 502) would set four Union assurance levels for public procurement. Its own recitals concede the point: Cybersecurity Act certification “is not suited for addressing sovereignty concerns.” National labels won’t be banned — but a SecNumCloud provider would still need separate Article 17 recognition. If it passes, the badge on the vendor’s website stops mattering and the assurance level starts. Meanwhile ANSSI + BSI have jointly committed to common criteria specifying where failure is disqualifying.

✓ The six questions to ask any vendor
1Who is your ultimate parent, and where is it incorporated?
2Will you state in writing that you’re not subject to non-EU extraterritorial law?
3What % of capital & voting rights is held by non-EU entities?
4Who holds the keys — and can you be compelled to produce them?
5Which of your certs tests ownership, and which tests practice?
6What is your CADA recognition roadmap?
If a vendor can’t answer #1 and #3 immediately, the rest of the meeting is theatre. And check the layer: sovereign infrastructure under a non-EU-controlled SaaS layer is not a sovereign stack.
The take

Microsoft showed the gap better than any critic: May 2025 — encryption makes access “technically impossible.” One month later — cannot guarantee immunity from US authorities. Thirty days between the marketing and the law. SecNumCloud doesn’t ban American technology — it forces a change of control over it (hence S3NS = Thales+Google, Bleu = Capgemini+Orange on Azure). Is it also protectionism? Partly, yes — and that critique is exactly why EUCS High+ died. Both things are true. Don’t ask if a provider is “sovereign” — the word has been marketed into meaninglessness. Ask the arithmetic: who owns you, and what law reaches you? Then check whether the answer is above or below 24% — including for the European champions nobody has asked.

Sources: ANSSI (SecNumCloud v3.2, qualified-provider catalogue) via Legiscope, Scalingo, Feel Agile, SoftwareSeni; BSI & AWS compliance docs (C5, ESC C5 report, GA Jan 2026); AWS Artifact (ESC-SRF); sota.io, euCloudCost (EUCS levels, stripped sovereignty tier, DORA CTPP designations Nov 2025); CADA COM(2026) 502 via cadafaq.com; ANSSI–BSI joint statement via BSI; Cross-Border Data Forum (protectionism critique); CISPE. CADA is a proposal; EUCS is unadopted. Ownership questions are open questions from public info, not assertions of non-compliance. Not legal advice — get counsel.
thorstenmeyerai.com

Implications of the 24% Ownership Cap for European Cloud Control

The 24% ownership rule is central to Europe’s efforts to secure legal sovereignty over critical AI and cloud infrastructure. Its application influences how foreign companies participate in the European market, potentially shaping ownership structures and control mechanisms. As providers adapt through joint ventures, the debate intensifies over whether arithmetic caps effectively prevent foreign influence or merely create legal workarounds.

This regulation impacts not only provider compliance but also the broader geopolitical landscape, as it tests the limits of sovereignty in a digital economy increasingly dominated by US and Chinese tech giants. The ongoing discussions may lead to regulatory refinements or new standards that better address control versus ownership issues, with significant implications for European data security and market independence.

Amazon

European cloud sovereignty certification

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

European Sovereignty Frameworks and the Rise of the 24% Rule

The concept of digital sovereignty in Europe has gained momentum, with frameworks like SecNumCloud and EUCS emphasizing legal control over data and infrastructure. Since 2016, France’s ANSSI has developed SecNumCloud, which uniquely combines security controls with legal sovereignty requirements, including strict ownership caps.

The 24% ownership rule emerged as a key measure to prevent non-EU entities from exerting disproportionate influence over cloud providers handling sensitive data. While other standards, like Germany’s C5, focus on controls and transparency, SecNumCloud’s arithmetic cap explicitly targets ownership and control.

Major US cloud providers are ineligible for direct SecNumCloud certification, prompting them to form joint ventures with European firms to circumvent the ownership limit, raising questions about the rule’s effectiveness and enforcement.

“Achieving compliance with the 24% rule is like a level 10 challenge—far more complex than traditional security standards—and it requires innovative ownership arrangements.”

— Scalingo CEO

Unclear Effectiveness and Future Regulatory Adjustments

While the 24% ownership rule is operational, its long-term effectiveness in preventing foreign influence remains uncertain. Critics argue that structured ownership through joint ventures could undermine the rule’s intent, and there is ongoing debate about whether control should be measured differently. It is also not yet clear how regulators will respond if widespread ownership circumventions become prevalent or if new legal challenges emerge.

Next Steps in European Sovereignty and Regulatory Evolution

Regulators and industry stakeholders are expected to closely monitor the implementation and enforcement of the 24% ownership rule. Discussions about potential regulatory refinements or new standards are likely, especially as more providers seek SecNumCloud certification. Additionally, the European Commission may consider legislative updates to address emerging circumvention strategies, with a focus on control and influence rather than just ownership.

In parallel, US and Chinese tech firms will continue to adapt through joint ventures and ownership structures, highlighting the ongoing tension between sovereignty goals and market participation.

Key Questions

What is the purpose of the 24% ownership rule in SecNumCloud?

The rule aims to prevent non-EU entities from exerting disproportionate legal control over cloud providers handling sensitive data, thereby ensuring European sovereignty.

Can foreign companies still participate in European cloud services under this rule?

Yes, through joint ventures or ownership structures that keep individual foreign ownership below 24%, foreign companies can participate while complying with the sovereignty standard.

Not necessarily. Critics argue that structured ownership can circumvent the rule, and the effectiveness of the cap depends on enforcement and potential regulatory updates.

How does SecNumCloud differ from other standards like C5?

SecNumCloud incorporates an arithmetic ownership cap for sovereignty, whereas standards like C5 focus on controls and transparency. C5 does not prevent foreign control but requires disclosure of jurisdiction.

Source: ThorstenMeyerAI.com

This content is for general information only and is not financial, tax or legal advice. Consult a qualified professional for decisions about your money.
You May Also Like

The Switch: You Never Owned the AI You Depend On

Recent events reveal how access to AI models can be revoked instantly, exposing dependence on external control rather than ownership. Here’s what’s happening.

Waves, Not a Wall: Inside DeepMind’s Map From AGI to Superintelligence

DeepMind researchers unveil a framework mapping the progression from AGI to ASI, highlighting pathways, challenges, and implications for AI development.

The Hidden Management Issues In AI’s Accurate Decision-Making

A recent experiment reveals that AI models can understand and analyze correctly but often fail to complete trustworthy, final actions due to internal management issues.

AmenGate: The Moment Before The Scroll

AmenGate introduces a prayer-based phone lock on iPhone designed to replace mindless scrolling with meaningful prayer, built for long-term trust and faithfulness.